WO2013063783A1 - Method and device for managing a data security channel - Google Patents


Publication number
WO2013063783A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
user equipment
trusted
authentication
trusted relationship
Application number
PCT/CN2011/081738
Other languages
English (en)
Chinese (zh)
Inventor
李欢
时书锋
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to JP2014539203A (JP5922785B2)
Priority to EP11874986.0A (EP2763357B1)
Priority to CN201180002592.5A (CN103201986B)
Priority to PCT/CN2011/081738 (WO2013063783A1)
Publication of WO2013063783A1
Priority to US14/269,965 (US9800563B2)

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L12/00 Data switching networks
                    • H04L12/64 Hybrid switching systems
                        • H04L12/6418 Hybrid transport
                    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0272 Virtual private networks
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/03 Protecting confidentiality, e.g. by encryption
                        • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
                    • H04W12/06 Authentication

Definitions

  • Embodiments of the present invention relate to the field of communications technologies, and more particularly to a method and a device for processing a data security channel.

Background
  • The S2c interface uses the DSMIPv6 protocol (Mobile IPv6 Support for Dual Stack Hosts), which trusted non-3GPP access networks, untrusted non-3GPP access networks and 3GPP access networks can use to access the EPS network.
  • When the UE accesses the EPC from a non-3GPP access network through the S2c interface, the UE establishes a security association (SA) with the PDN-GW (Packet Data Network Gateway, also called the PGW).
  • When the UE accesses the EPC through the S2c interface, the PDN-GW exchanges the authentication and authorization request and response messages with the AAA (Authentication, Authorization, Accounting) server over the S6b interface, so that the PDN-GW completes the authentication and authorization of the UE and obtains information such as mobility parameters and subscription data from the AAA server.
  • The PDN-GW and the AAA server may also communicate through an AAA proxy.
  • 3GPP specifies that, after the DSMIPv6 tunnel between the UE and the PDN-GW has been established, the UE establishes an SA with the PDN-GW to protect the DSMIPv6 signalling.
  • When the UE accesses the EPC from a trusted non-3GPP access network, the PDN-GW may initiate establishment of a Child SA (child security association) with the UE to protect the data plane; but when the UE accesses the EPC from an untrusted non-3GPP access network, an IPsec secure channel is established between the UE and the non-3GPP access gateway ePDG (evolved Packet Data Gateway), and the data packets between the UE and the PDN-GW are protected through that IPsec secure channel. That is, when the UE accesses the EPS from a non-3GPP network in a trusted manner, a Child SA can be established on the S2c tunnel to protect the integrity and confidentiality of the data plane; when it accesses from a non-3GPP network in an untrusted manner, data integrity and confidentiality protection are provided by the IPsec secure channel between the UE and the ePDG. When the UE accesses the EPC from a 3GPP access network through the S2c interface, the UE and the PDN-GW rely on the 3GPP access network's own security mechanism.
  • Therefore, the PDN-GW needs to distinguish whether the access scenario is trusted non-3GPP access, untrusted non-3GPP access or 3GPP access in order to complete the establishment or update of the corresponding data security channel.
  • In addition, the SA between the UE and the PDN-GW may be established in advance, to save SA establishment time when switching to a non-3GPP access network.
  • After a switch, the SAs between the UE and the PDN-GW may not be released immediately but may remain for a period of time, until the SA times out and is released automatically.
  • So when the UE accesses the EPC, the SA may already exist, but it was established earlier: the trusted relationship of the access network that the PDN-GW obtained at that time, that is, whether the access network was trusted or untrusted, 3GPP or non-3GPP, is not necessarily consistent with the trusted relationship of the current access network. Therefore, the data security channel needs to be established or updated according to the access scenario after the switch.
  • The PDN-GW therefore needs to distinguish the access scenario in order to complete the establishment or update of the different kinds of data security channel. However, the PDN-GW cannot determine the current UE access mode, and so it cannot correctly establish or update the data security channel.

Summary of the invention
  • The embodiments of the invention provide a method and a device for processing a tunnel data security channel, which can ensure that the S2c tunnel data security channel is correctly established or updated.
  • In one aspect, a method for processing a tunnel data security channel includes: receiving an authentication and authorization request from the access side and determining the trusted relationship of the user equipment access; and, when an S6b interface session of the user equipment exists, sending a message containing the trusted relationship information to the packet data gateway, so that the packet data gateway establishes or updates the S2c tunnel data security channel according to the trusted relationship information.
  • In another aspect, a method for processing a tunnel data security channel includes: receiving a packet data network connection establishment request of a user equipment; when an S6b interface session of the user equipment exists or a security association with the user equipment exists, sending an authentication request message to the authentication device and receiving the authentication response message sent by the authentication device, where the authentication response message includes the trusted relationship information of the user equipment access; and establishing or updating the S2c tunnel data security channel according to the trusted relationship information.
  • In a further aspect, an authentication and authorization device includes: a receiving unit, configured to receive an authentication and authorization request from the access side; an authentication unit, configured to authenticate the request and determine the trusted relationship of the user equipment access and, when the S6b session of the user equipment exists, to have the sending unit send a message including the trusted relationship information to the packet data gateway; and a sending unit, configured to send the message including the trusted relationship information to the packet data gateway.
  • In a further aspect, a gateway device includes: a receiving unit, configured to receive a packet data network connection establishment request of the user equipment and to receive an authentication response message sent by the authentication and authorization device, where the authentication response message includes the trusted relationship information of the user equipment access; a confirmation unit, configured to confirm, when the receiving unit receives the packet data network connection establishment request, whether an S6b session of the user equipment exists or a security association with the user equipment exists and, if so, to have the sending unit send an authentication request message to the authentication device; a sending unit, configured to send the authentication request message to the authentication device; and an establishing unit, configured to establish or update the S2c tunnel data security channel according to the trusted relationship information.
  • In the embodiments, when the UE accesses the EPC via the S2c interface, the authentication and authorization device sends a message including the trusted relationship information of the user equipment access, or includes that information in the authentication response message; the gateway device establishes or updates the data security channel according to the trusted relationship information contained in the message, which ensures that the correct data security channel is established.
  • FIG. 1 is a block diagram of a system that uses the S2c interface to access an EPS network in the non-roaming scenario specified by 3GPP.
  • FIG. 2 shows a method for processing a data security channel when a non-3GPP access network accesses an EPS network using the S2c interface, according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a process for processing a data security channel of a trusted non-3GPP access network using an S2c interface to access an EPS network according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a process of a method for processing a data security channel of an untrusted non-3GPP access network using an S2c interface to access an EPS network according to an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a process of an untrusted non-3GPP access network using an S2c interface to access a data security channel of an EPS network according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of a method for accessing a data security channel of an EPS network by using an S2c interface according to another embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of a process of a method for processing a data security channel of a trusted non-3GPP access network using an S2c interface to access an EPS network according to another embodiment of the present invention.
  • FIG. 8 is a schematic flowchart of a process of a method for processing a data security channel of an untrusted non-3GPP access network using an S2c interface to access an EPS network according to another embodiment of the present invention.
  • FIG. 9 is a schematic flowchart of a process of a method for processing a data security channel of a 3GPP access network using an S2c interface to access an EPS network according to another embodiment of the present invention.
  • FIG. 10 is a schematic flowchart of a process of a method for processing a data security channel of a 3GPP access network using an S2c interface to access an EPS network according to still another embodiment of the present invention.
  • FIG. 11 is a schematic flowchart of a process for processing a data security channel of a 3GPP access network using an S2c interface to access an EPS network according to still another embodiment of the present invention.
  • FIG. 12 is a block diagram of an authentication authentication device in accordance with one embodiment of the present invention.
  • FIG. 13 is a block diagram of a gateway device in accordance with another embodiment of the present invention.
  • FIG. 14 is a block diagram of a gateway device in accordance with yet another embodiment of the present invention.
  • FIG. 1 is a system architecture diagram of the 3GPP-defined S2c interface for accessing an EPS network. Embodiments of the present invention are applicable to the EPS network architecture shown in FIG. 1.
  • The S2c interface can be used by non-3GPP access networks and 3GPP networks to access the EPS network.
  • For a trusted non-3GPP access network, the UE connects directly to the PDN-GW through the non-3GPP access network; for an untrusted non-3GPP access network, the UE first connects to the evolved packet data gateway ePDG, which is trusted by the home network, and then to the PDN-GW network element.
  • For a 3GPP access network, the UE is connected to the PDN-GW network element through the S-GW (Serving Gateway).
  • When the UE accesses the EPC through the PDN-GW via the S2c interface: if it accesses the EPC through a trusted non-3GPP access network, the PDN-GW needs to initiate establishment of a Child SA to protect the data plane; if it accesses the EPC from an untrusted non-3GPP access network, the PDN-GW relies on the IPsec channel between the UE and the ePDG, over which the DSMIPv6 traffic is carried, to provide integrity and confidentiality protection for the data; if it accesses the EPC through a 3GPP access network, the UE and the PDN-GW provide data security protection through 3GPP's own authentication and encryption mechanism.
  • The PDN-GW therefore needs to know whether the UE currently accesses from a trusted non-3GPP access network, an untrusted non-3GPP access network or a 3GPP access network; this is the prerequisite for correctly establishing or updating the S2c tunnel data security channel. In particular, when the UE accesses the EPC through the S2c interface after switching between the trusted non-3GPP access network, the 3GPP access network and the untrusted non-3GPP access network, the PDN-GW needs to distinguish the access scenario in order to complete the establishment or update of the correct data security channel.
  • In the embodiments, the authentication and authorization device determines the trusted relationship of the UE access and sends a trusted relationship indication message to the PDN-GW, or includes an indication of the trusted relationship of the UE access in the authentication response message sent to the PDN-GW; the PDN-GW establishes or updates the data security channel according to the trusted relationship of the UE access indicated in the message, ensuring that the correct data security channel is established.
  • The authentication and authorization device in the embodiments is exemplified by an AAA server. In other implementations, other devices, such as an HSS (Home Subscriber Server), may serve as the authentication and authorization device.
  • FIG. 2 shows a method for processing a data security channel for accessing an EPS network using the S2c interface according to an embodiment of the present invention. The authentication device determines the trusted relationship of the user equipment access and sends a message including an indication of that trusted relationship to the PDN-GW; the PDN-GW establishes or updates the data security channel according to the trusted relationship indicated in the message, ensuring that the correct data security channel is established.
  • 201. Receive an authentication and authorization request from the access side.
  • The AAA server receives the authentication and authorization request from the access side, which requests authentication of the accessing UE. Because the UE may access the EPC in different ways, when the UE accesses from a trusted non-3GPP access network the access side refers to the trusted non-3GPP access network, and when the UE accesses from an untrusted non-3GPP access network the access side refers to the untrusted non-3GPP access network or the ePDG.
  • The AAA server determines whether the user equipment access is trusted or untrusted according to the parameters carried in the authentication and authorization request from the access side. The parameters include one or more of the following: the access network identifier ANID, the Visited Network Identity (required only in the roaming scenario), the access type, and the security mechanism used in the access network.
  • The AAA server determines whether an S6b interface session of the UE already exists, that is, whether the session context of the UE's S6b interface exists. The session context includes the Session ID and the user equipment identifier. If an S6b interface session exists, a PDN-GW has already requested authentication of this UE from the AAA server, so this UE access should be a handover scenario.
  • The AAA server sends a message to the PDN-GW that includes information indicating the trusted relationship of the UE access, that is, whether the UE access is trusted non-3GPP access or untrusted non-3GPP access.
  • The PDN-GW establishes or updates the S2c tunnel data security channel according to the received trusted relationship of the UE access.
  • In this embodiment, when the authentication and authorization request from the access side is received and an S6b interface session of the UE already exists, a message including the trusted relationship information of the UE access is sent to the PDN-GW, so that the PDN-GW can correctly establish or update the S2c tunnel data security channel.
  • FIG. 3 is a schematic flowchart of a method for processing a data security channel of a trusted non-3GPP access network using an S2c interface to access an EPS network according to an embodiment of the present invention.
  • The UE sends an EAP-RSP authentication request message to the trusted non-3GPP access network.
  • The trusted non-3GPP access network sends an authentication and authorization request to the AAA server, which includes the access network identifier ANID and the access type, and may also include parameters such as the security mechanism used in the access network. In the roaming scenario this request is forwarded to the AAA server through the AAA server proxy of the visited network, and it also includes the visited network identifier, that is, the Visited Network Identity.
  • The AAA server determines whether the UE access is trusted or untrusted according to the parameters in the received request; here it is determined to be trusted access, that is, the UE accesses through the trusted non-3GPP access network. The parameters include one or more of the following: the access network identifier ANID, the visited network identifier (Visited Network Identity, required only in the roaming scenario), the access type, and the security mechanism used in the access network.
  • The AAA server sends an authentication and authorization response message to the trusted non-3GPP access network, which includes the trusted access result.
  • The trusted non-3GPP access network sends an EAP-REQ authentication response message to the UE, including the trusted access result.
  • The AAA server determines whether an S6b interface session of the UE exists, that is, whether the session context of the UE's S6b interface exists. The session context includes the session identifier and the user equipment identifier. If an S6b interface session exists, the original PDN-GW has already requested authentication of the UE from the AAA server, so the current access should be a handover scenario.
  • The AAA server sends a trusted relationship message to the PDN-GW, which includes a trusted relationship information element whose value is "trusted" or "untrusted". Here the indication is "trusted", indicating that the current access is trusted access.
  • After receiving the message, the PDN-GW may initiate the Child SA establishment procedure with the UE at any time. If a Child SA establishment request initiated by the UE is received, the request is accepted and the Child SA is established.
  • Once the AAA server receives the authentication and authorization request sent by the trusted non-3GPP access network and determines that the user equipment access is trusted access, it may send the trusted relationship message to the PDN-GW as soon as the S6b interface session of the UE is found to exist. That is, step 305 is performed after step 302 and has no strict order of execution relative to steps 303 and 304. Similarly, after receiving the trusted relationship message, the PDN-GW can initiate the Child SA establishment procedure with the UE at any time; that is, step 306 can be performed at any time after step 305 and has no strict order of execution relative to steps 303 and 304. Steps 301 through 304 are performed in the order shown in the schematic flowchart.
  • In this embodiment, the trusted relationship of the user equipment access is determined to be trusted access and, when the S6b interface session of the UE exists, a message including the trusted relationship information of the UE access is sent to the PDN-GW, so that the PDN-GW can distinguish the access scenario and complete the establishment or update of the correct data security channel.
  • FIG. 4 is a schematic flowchart of a process of a method for processing a data security channel of an untrusted non-3GPP access network using an S2c interface to access an EPS network according to an embodiment of the present invention.
  • The UE sends an EAP-RSP authentication request message to the untrusted non-3GPP access network.
  • The untrusted non-3GPP access network sends an authentication and authorization request to the AAA server, which includes the access network identifier ANID and the access type, and may also include the security mechanism parameter used in the access network. In the roaming scenario, the request submitted by the access network is forwarded to the AAA server through the AAA server proxy, and it also includes the visited network identifier, that is, the Visited Network Identity.
  • The AAA server determines, according to the parameters in the authentication request, whether the user equipment access is trusted or untrusted; here it is determined to be untrusted access, that is, the UE accesses through the untrusted non-3GPP access network. The parameters include one or more of the following: the access network identifier ANID, the visited network identifier (Visited Network Identity, required only in the roaming scenario), the access type, and the security mechanism used in the access network.
  • The AAA server sends an authentication and authorization response message to the untrusted non-3GPP access network, which includes the untrusted access result.
  • The untrusted non-3GPP access network sends an EAP-REQ authentication response message to the UE, which includes the untrusted access result.
  • The AAA server determines whether an S6b interface session of the UE exists, that is, whether the session context of the UE's S6b interface exists. The session context includes the session identifier and the user equipment identifier. If an S6b interface session exists, the original PDN-GW has already requested authentication of the UE from the AAA server, so the current access should be a handover scenario.
  • The AAA server sends a trusted relationship message to the PDN-GW, which includes a trusted relationship information element whose value is "trusted" or "untrusted". Here the indication is "untrusted", indicating that the current access is untrusted access.
  • After receiving the message indicating that the UE access is untrusted, the PDN-GW does not initiate the Child SA establishment procedure, and if it receives a Child SA establishment request from the UE, it rejects it.
  • The rejection may be as follows: the cause value in the Notify Payload of the response message to the Child SA setup request indicates "NO-ADDITIONAL-SAS", or "NO_Child_SAS", or another cause value indicating that Child SA establishment is no longer accepted.
  • If a Child SA already exists, the PDN-GW initiates the procedure for deleting the Child SA.
  • Once the AAA server receives the authentication request sent by the untrusted non-3GPP access network and determines that the current UE access is untrusted access, it may send the trusted relationship message to the PDN-GW as soon as the S6b interface session of the UE is found to exist. That is, step 405 is performed after step 402 and has no strict order of execution relative to steps 403 and 404. Steps 401 through 404 are performed in the order shown in the schematic flowchart.
  • In this embodiment, the trusted relationship of the UE access is determined to be untrusted access and, when the S6b interface session of the UE exists, a message including the trusted relationship information of the UE access is sent to the PDN-GW, so that the PDN-GW can distinguish the access scenario and complete the establishment or update of the data security channel.
  • FIG. 5 is a schematic flowchart of a process of an untrusted non-3GPP access network using an S2c interface to access a data security channel of an EPS network according to an embodiment of the present invention.
  • The UE sends an IKE authentication request to the evolved packet data gateway ePDG, requesting establishment of an IPsec tunnel between the UE and the ePDG.
  • The ePDG sends an authentication request to the AAA server. The authentication request includes the access network identifier ANID and the access type, and may also include the security mechanism parameter used in the access network. In the roaming scenario, the authentication and authorization request is forwarded through the AAA server proxy, and it also includes the visited network identifier, that is, the Visited Network Identity.
  • The AAA server determines whether the UE access is trusted or untrusted according to the parameters in the authentication request, and determines that the UE accesses through the untrusted non-3GPP access network. The parameters include one or more of the following: the access network identifier ANID, the visited network identifier (required only in the roaming scenario), the access type, and the security mechanism used in the access network.
  • The AAA server sends an authentication and authorization response message to the ePDG.
  • The ePDG sends an IKE authentication response message to the UE.
  • The AAA server determines whether an S6b interface session of the UE exists, that is, whether the session context of the UE's S6b interface exists. The session context includes the session identifier (Session ID) and the user equipment identifier. If an S6b interface session exists, the original PDN-GW has already requested authentication of the UE from the AAA server, so the current access should be a handover scenario.
  • The AAA server sends a trusted relationship message to the PDN-GW, which includes a trusted relationship information element whose value is "trusted" or "untrusted". Here the indication is "untrusted", indicating that the current access is untrusted access.
  • After the PDN-GW receives the message indicating that the UE access is untrusted, it no longer initiates the Child SA establishment procedure, and if it receives a Child SA establishment request from the UE, it rejects it.
  • The rejection may be as follows: the cause value in the Notify Payload of the response message to the Child SA setup request indicates "NO-ADDITIONAL-SAS", or "NO_Child_SAS", or another cause value indicating that Child SA establishment is no longer accepted. If a Child SA already exists between the PDN-GW and the UE, the PDN-GW initiates the procedure for deleting the Child SA.
  • Once the AAA server receives the authentication and authorization request sent by the evolved packet data gateway ePDG and determines that the UE access is untrusted access, it may send the trusted relationship message to the PDN-GW as soon as the S6b interface session of the UE is found to exist. That is, step 505 is performed after step 502 and has no strict order of execution relative to steps 503 and 504. Steps 501 through 504 are performed in the order shown in the schematic flowchart.
  • In this embodiment, the trusted relationship of the UE access is determined to be untrusted access and, when an S6b interface session of the UE exists, a message including the trusted relationship information of the UE access is sent to the PDN-GW, so that the PDN-GW can distinguish the access scenario and complete the establishment or update of the data security channel.
  • FIG. 6 is a flowchart of a method for processing a data security channel for accessing an EPS network using the S2c interface according to another embodiment of the present invention.
  • The PDN-GW receives the packet data network connection establishment request, sends an authentication request to the authentication device, and establishes or updates the S2c tunnel data security channel according to the trusted relationship of the current access indicated in the response message of the authentication device.
  • When the UE accesses the EPC from a non-3GPP access network through the S2c interface, the received packet data network connection establishment request is a Binding Update message sent by the UE; when the UE accesses the EPC from a 3GPP access network through the S2c interface, it is a session establishment message sent by the MME (mobility management network element), which the MME sends after receiving the packet data network connection request of the user equipment.
  • The PDN-GW determines whether an S6b session of the accessing UE already exists, that is, whether the session context of the UE's S6b interface exists. The session context includes the Session ID and the user equipment identifier.
  • The PDN-GW also determines whether a security association has been established with the UE, that is, whether a security context of the UE exists; the security context includes the security parameter index SPI and the UE identifier. If the S6b interface session of the UE exists or an SA has been established with the UE, the PDN-GW has already requested authentication of the UE from the AAA server. In that case, the PDN-GW sends an authentication request to the AAA server.
  • The PDN-GW establishes or updates the S2c tunnel data security channel according to the received trusted relationship of the user equipment access.
  • In this embodiment, when the PDN-GW receives the packet data network connection establishment request and an S6b session of the UE exists or an SA with the UE exists, it sends an authentication request message to the authentication and authorization device, and establishes or updates the S2c tunnel data security channel according to the trusted relationship of the user equipment access indicated in the response message of the authentication device.
  • FIG. 7 is a schematic flowchart of a method for processing the data security channel when a trusted non-3GPP access network accesses an EPS network through the S2c interface according to another embodiment of the present invention.
  • The UE sends a Binding Update message to the PDN-GW, so that the PDN-GW binds the local address and the home address of the UE and a data connection is established between the UE and the PDN-GW.
  • After receiving the Binding Update message, the PDN-GW determines whether the S6b session of the UE already exists, that is, whether the session context of the S6b interface of the UE exists; the session context includes the Session ID and the user equipment identifier.
  • The PDN-GW also determines whether a security association is established with the UE, that is, whether the UE has a security context; the security context includes the security parameter index (SPI) and the UE identifier. If the S6b interface session of the UE exists, or an SA is established with the UE, the PDN-GW has already applied to the AAA server for authentication of the UE. In this case, the PDN-GW sends an authentication request to the AAA server.
  • the authentication request message includes a UE identifier and a network identifier.
  • the network identifier includes one or more of the following information: an access network identifier, a security mechanism used in the access network, and an access type. If it is a roaming scenario, the network identifier of the visited network is also included.
  • The AAA server determines, according to the configured policy, whether the user equipment access is trusted access, and sends an authentication response message to the PDN-GW. The message includes a trusted relationship cell whose value is "trusted", "non-trusted" or "3GPP", indicating that the user equipment access is trusted non-3GPP access, non-trusted non-3GPP access or 3GPP access respectively; here the value is "trusted", indicating trusted non-3GPP access.
  • The AAA server determines whether the user equipment access is trusted access as follows: the policy includes a correspondence between the network identifier and the trusted relationship, and the AAA server queries the configured policy according to the network identifier in the authentication request message to determine the trusted relationship of the user equipment access. If the policy needs to determine the trusted relationship according to the access network identifier, and the authentication request message does not include the access network identifier but does include the access type, the AAA server may also construct the access network identifier according to the access type.
  • The specific method is: the access type is generally represented as an integer, such as 0 for WLAN and 2001 for HRPD. The AAA server looks up the access type description corresponding to the integer and uses that string as the prefix of the access network identifier, for example "WLAN" or "HRPD". The access network identifier may have no additional string other than the prefix, or the AAA server itself may determine the generation rule.
  • The determination may be implemented as follows: the policy includes records pairing a network identifier with a trusted relationship, and the configured policy data table is queried. If the trusted relationship corresponding to the network identifier is trusted access, the current UE access is determined to be trusted access; if it is non-trusted access, the current UE access is determined to be untrusted access.
  • The PDN-GW sends a Binding Update Confirm message to the UE.
  • The PDN-GW may initiate a Child SA establishment process with the UE at any time. If a Child SA establishment request initiated by the UE is received, the request is accepted and the Child SA is established.
  • In this way, when the UE accesses the EPC network from a trusted non-3GPP access network through the S2c interface and the PDN-GW receives the Binding Update message of the UE, if the S6b interface session of the UE exists or an SA is established with the UE, the PDN-GW sends an authentication request message to the authentication device and, according to the trusted relationship of the user equipment access indicated in the authentication response message (here trusted access), establishes or updates the S2c tunnel data security channel. Therefore, the PDN-GW can distinguish the access scenario and complete the establishment or update of the data security channel.
  • FIG. 8 is a schematic flowchart of a method for processing the data security channel when an untrusted non-3GPP access network accesses an EPS network through the S2c interface according to another embodiment of the present invention.
  • This method corresponds to the method of FIG. 7, so a detailed description of the common steps is omitted where appropriate.
  • The UE sends a Binding Update message to the PDN-GW, so that the PDN-GW binds the local address and the home address of the UE and a data connection is established between the UE and the PDN-GW.
  • The PDN-GW determines whether the S6b session of the UE already exists or whether a security association has been established with the UE. If the S6b interface session of the UE exists or an SA is established with the UE, the PDN-GW has already applied to the AAA server for authentication of the UE. In this case, the PDN-GW sends an authentication request message to the AAA server.
  • the authentication request message includes a UE identifier, and also includes a network identifier.
  • the network identifier includes one or more of the following information: an access network identifier, a security mechanism used in the access network, and an access type. If it is a roaming scenario, the network identifier of the visited network is also included.
  • The AAA server determines, according to the configured policy, whether the user equipment access is trusted access, and sends an authentication response message to the PDN-GW. The message includes a trusted relationship cell whose value is "trusted", "non-trusted" or "3GPP", indicating that the current access is trusted non-3GPP access, non-trusted non-3GPP access or 3GPP access respectively; here the value is "non-trusted", indicating non-trusted non-3GPP access. After receiving the message indicating that the user equipment access is untrusted access, the PDN-GW does not initiate the Child SA establishment process and rejects any Child SA establishment request sent by the UE.
  • The way to reject can be: the cause value in the Notify Payload of the response message to the Child SA setup request indicates "NO-ADDITIONAL-SAS", or "NO_Child_SAS", or another cause value meaning that no further Child SA establishment is accepted. If a Child SA already exists between the PDN-GW and the UE, the PDN-GW initiates the process of deleting the Child SA.
  • The PDN-GW sends a Binding Update Confirm message to the UE.
  • In this way, when the UE accesses the EPC network from a non-trusted non-3GPP access network through the S2c interface and the PDN-GW receives the Binding Update message of the UE, if the S6b interface session of the UE exists or an SA is established with the UE, the PDN-GW sends an authentication request message to the authentication device and, according to the trusted relationship of the user equipment access indicated in the authentication response message (here non-trusted access), establishes or updates the S2c tunnel data security channel. Therefore, the PDN-GW can distinguish the access scenario and complete the establishment or update of the data security channel.
  • FIG. 9 is a schematic flowchart of a method for processing the data security channel when a 3GPP access network accesses an EPS network through the S2c interface according to another embodiment of the present invention.
  • The UE sends a PDN (Packet Data Network) connection request to the MME.
  • The MME sends a session establishment request to the PDN-GW to establish a PDN connection for the UE.
  • The session establishment request includes a UE identifier, a PDN type, a radio access type, and the like.
  • The PDN type indicates the type of IP address assigned to the UE by the PDN connection, such as IPv4, IPv6 or IPv4v6.
  • The radio access type indicates 3GPP access in this case, such as E-UTRAN, UTRAN and the like. If it is a handover scenario, a handover indication is also included in the request message.
  • The PDN-GW determines whether the S6b session of the UE already exists, that is, whether the session context of the S6b interface of the UE exists.
  • The session context includes the Session ID and the user equipment identifier. The PDN-GW also determines whether a security association is established with the UE, that is, whether the UE has a security context; the security context includes the security parameter index (SPI) and the UE identifier. If the S6b interface session of the UE exists, or an SA is established with the UE, the PDN-GW has already applied to the AAA server for authentication of the UE. In this case, the PDN-GW sends an authentication request to the AAA server.
  • The authentication request message includes a UE identifier and a network identifier.
  • the network identifier includes one or more of the following information: an access network identifier and a wireless access type.
  • The AAA server determines, according to the configured policy, whether the user equipment access is trusted access, and sends an authentication response message to the PDN-GW. The message includes a trusted relationship cell whose value is "trusted", "non-trusted" or "3GPP", indicating that the user equipment access is trusted non-3GPP access, non-trusted non-3GPP access or 3GPP access respectively; here the value is "3GPP", indicating 3GPP access.
  • After receiving the message indicating that the current access is 3GPP access, the PDN-GW does not initiate the Child SA establishment process and rejects any Child SA establishment request sent by the UE.
  • The way to reject can be: the cause value in the Notify Payload of the response message to the Child SA setup request indicates "NO-ADDITIONAL-SAS", or "NO_Child_SAS", or another cause value meaning that no further Child SA establishment is accepted. If a Child SA already exists between the PDN-GW and the UE, the PDN-GW initiates the process of deleting the Child SA.
  • The AAA server determines whether the user equipment access is trusted access as follows: the policy includes a correspondence between the network identifier and the trusted relationship, and the AAA server queries the configured policy according to the network identifier in the authentication request message to determine the trusted relationship of the user equipment access. If the policy needs to determine the trusted relationship according to the access network identifier, and the authentication request message does not include the access network identifier but does include the radio access type, the AAA server may also construct the access network identifier according to the radio access type.
  • The specific method is as follows: the radio access type is generally represented as an integer, such as 3 for WLAN and 6 for E-UTRAN. The AAA server looks up the access type description corresponding to the integer and uses that string as the prefix of the access network identifier, for example "WLAN" or "E-UTRAN". The access network identifier may have no additional string other than the prefix, or the AAA server may determine the generation rule.
  • The determination may be implemented as follows: the policy includes records pairing a network identifier with a trusted relationship, and the configured policy data table is queried. If the trusted relationship corresponding to the network identifier is trusted access, the user equipment access is determined to be trusted access; if it is non-trusted access, the user equipment access is determined to be untrusted access; if it is 3GPP access, the user equipment access is determined to be 3GPP access.
  • The PDN-GW sends a session establishment confirmation message to the MME.
  • The MME sends a response to the PDN connection request to the UE.
  • In this way, when the UE accesses the EPC network from a 3GPP access network through the S2c interface, the MME sends a session establishment request message to the PDN-GW according to the PDN connection request of the UE; if the S6b interface session of the UE exists or a security association is established with the UE, the PDN-GW sends an authentication request message to the authentication device and, according to the trusted relationship of the user equipment access indicated in the response message of the authentication device (here 3GPP access), establishes or updates the S2c tunnel data security channel. Therefore, the PDN-GW can distinguish the access scenario and complete the establishment or update of the data security channel.
  • FIG. 10 is a schematic flowchart of a process for handling the data security channel when a 3GPP access network accesses an EPS network through the S2c interface according to still another embodiment of the present invention.
  • The PDN-GW receives the packet data network connection establishment request, determines the trusted relationship of the user equipment access according to the information in the establishment request message, and establishes or updates the S2c tunnel data security channel.
  • The UE sends a PDN connection request to the MME.
  • The MME sends a session establishment request to the PDN-GW to establish a PDN connection for the UE.
  • The session establishment request includes information such as a UE identifier, a PDN type and a radio access type.
  • the radio access type indication is 3GPP access at this time, such as E-UTRAN, UTRAN, and the like.
  • The PDN type indicates the type of IP address assigned to the UE by this PDN connection, such as IPv4, IPv6 or IPv4v6. If it is a handover scenario, a handover indication is also included in the request message.
  • The PDN-GW determines whether the S6b session of the UE already exists, that is, whether the session context of the S6b interface of the UE exists.
  • The session context includes the Session ID and the user equipment identifier.
  • The PDN-GW also determines whether a security association is established with the UE, that is, whether a security context for the UE exists; the security context includes the security parameter index (SPI) and the UE identifier. If the S6b interface session of the UE exists or an SA is established with the UE, the PDN-GW has already applied to the AAA server for authentication of the UE.
  • The PDN-GW determines the trusted relationship of the user equipment access according to the radio access type information in the session establishment request; in this case it determines that the access is 3GPP access.
  • The PDN-GW no longer initiates the Child SA establishment process, and if it receives a Child SA establishment request sent by the UE, it rejects the request.
  • The way to reject can be: the cause value in the Notify Payload of the response message to the Child SA establishment request indicates "NO-ADDITIONAL-SAS", or "NO_Child_SAS", or another cause value meaning that no further Child SA establishment is accepted. If a Child SA already exists between the PDN-GW and the UE, the PDN-GW initiates the process of deleting the Child SA.
  • The PDN-GW sends a session establishment confirmation message to the MME.
  • The MME sends a response to the PDN connection request to the UE.
  • In this way, when the UE accesses the EPC network from a 3GPP access network through the S2c interface, the MME sends a session establishment request message to the PDN-GW according to the PDN connection request of the UE; if the PDN-GW determines that the S6b interface session of the UE already exists or that a security association is established with the UE, it determines the trusted relationship of the user equipment access according to the information in the session establishment request message (here 3GPP access) and establishes or updates the S2c tunnel data security channel. Therefore, the PDN-GW can distinguish the access scenario and complete the establishment or update of the data security channel.
  • The PDN-GW receives the security association establishment request of the UE, sends an authentication request message to the authentication device, and establishes or updates the S2c tunnel data security channel according to the trusted relationship of the user equipment access indicated in the response message of the authentication device.
  • The UE sends a PDN connection request to the MME.
  • The MME sends a session establishment request to the PDN-GW to establish a PDN connection for the UE.
  • The session establishment request includes the UE identifier, the PDN type and the radio access type.
  • The PDN type indicates the type of IP address assigned to the UE by the PDN connection, such as IPv4, IPv6 or IPv4v6.
  • The radio access type indicates 3GPP access in this case, such as E-UTRAN, UTRAN and the like. If it is a handover scenario, a handover indication is also included in the request message.
  • The PDN-GW sends a session establishment confirmation message to the MME.
  • The MME sends a response to the PDN connection request to the UE.
  • The UE sends a security association establishment request to the PDN-GW to establish the DSMIPv6 SA between the UE and the PDN-GW. The security association establishment request may specifically be a request message for establishing an SA, such as an IKE authentication request, and includes APN (Access Point Name) information.
  • The PDN-GW sends an authentication request message to the AAA server and registers the APN and the PDN-GW information; the request message includes the UE identifier.
  • The request message may also include a network identifier, which includes one or more of the following information: an access network identifier and a radio access type.
  • The AAA server determines, according to the configured policy, the trusted relationship of the user equipment access, and sends an authentication response message containing a trusted relationship cell to the PDN-GW. The value of the cell is "trusted", "non-trusted", "3GPP" or "UNKNOWN"; here it is "3GPP" or "UNKNOWN", where "3GPP" indicates that the current access is 3GPP access and "UNKNOWN" indicates that the AAA server cannot give the trusted relationship of the user equipment access.
  • If the PDN-GW receives a message indicating that the trusted relationship is "UNKNOWN", it determines the trusted relationship of the user equipment access according to the radio access type information in the session establishment request received in step 1102, which is 3GPP access.
  • Whether the PDN-GW receives a message from the AAA server indicating that the user equipment access is 3GPP access, or receives a message indicating that the trusted relationship of the user equipment access is "UNKNOWN", it thus determines that the user equipment access is 3GPP access.
  • The Child SA establishment process is no longer initiated, and if a Child SA establishment request sent by the UE is received, it is rejected.
  • The way to reject may be: the cause value in the Notify Payload of the response message to the Child SA setup request indicates "NO-ADDITIONAL-SAS", or "NO_Child_SAS", or another cause value meaning that no further Child SA establishment is accepted. If a Child SA already exists between the PDN-GW and the UE, the PDN-GW initiates the process of deleting the Child SA.
  • The AAA server determines whether the user equipment access is trusted access as follows: the policy includes a correspondence between the network identifier and the trusted relationship, and the AAA server queries the configured policy according to the network identifier in the authentication request message to determine the trusted relationship of the user equipment access. If the policy needs to determine the trusted relationship according to the access network identifier, and the authentication request message does not include the access network identifier but does include the radio access type, the AAA server may also construct the access network identifier according to the radio access type.
  • The specific method is as follows: the radio access type is generally represented as an integer, such as 3 for WLAN and 6 for E-UTRAN. The AAA server looks up the access type description corresponding to the integer and uses that string as the prefix of the access network identifier, for example "WLAN" or "E-UTRAN". The access network identifier may have no additional string other than the prefix, or the AAA server may determine the generation rule.
  • The determination may be implemented as follows: the policy includes records pairing a network identifier with a trusted relationship, and the configured policy data table is queried. If the trusted relationship corresponding to the network identifier is trusted access, the user equipment access is determined to be trusted access; if it is non-trusted access, the user equipment access is determined to be non-trusted access; if it is 3GPP access, the user equipment access is determined to be 3GPP access. If no corresponding record is found, "UNKNOWN" is returned, indicating that the trusted relationship of the user equipment access cannot be determined.
  • The PDN-GW sends a security association setup response message to the UE, which includes the IP address allocated by the PDN-GW to the UE.
  • In this way, after receiving the security association establishment request of the UE, the PDN-GW sends an authentication request message to the authentication device and, according to the trusted relationship of the user equipment access indicated in the response message of the authentication device (here 3GPP access, or a relationship that cannot be determined), establishes or updates the S2c tunnel data security channel. Therefore, the PDN-GW can distinguish the access scenario and complete the establishment or update of the data security channel.
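The gateway-side decision described in FIG. 7 through FIG. 11 (authenticate only when an S6b session or SA already exists, accept or refuse Child SAs by trusted relationship, fall back to the radio access type on "UNKNOWN") as an added example in Python; this is illustrative code, not the patent's or any vendor's implementation. The `UeContext` fields, the `ask_aaa` callback standing in for the authentication request/response exchange, the SPI values and the rule that an undetermined relationship is handled like non-trusted access are assumptions.

```python
"""PDN-GW side of the S2c tunnel data security channel handling (added example,
not the patent's code). Models the gateway behaviour described for FIG. 7 to
FIG. 11: ask the authentication device only when an S6b session context or a
security context (SA) for the UE already exists, then accept, refuse or tear
down IKEv2 Child SAs according to the trusted relationship, falling back to the
radio access type from the PDN connection request when the AAA server answers
"UNKNOWN". Contexts, SPIs and the AAA responses are constructed sample values."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

TRUSTED, NON_TRUSTED, THREE_GPP, UNKNOWN = "trusted", "non-trusted", "3GPP", "UNKNOWN"
# Cause value the text names for the Notify Payload of a refused Child SA request.
NO_ADDITIONAL_SAS = "NO-ADDITIONAL-SAS"
# Radio access types the text lists as 3GPP access (E-UTRAN, UTRAN "and the like").
THREE_GPP_RAT_TYPES = {"E-UTRAN", "UTRAN"}


@dataclass
class UeContext:
    """What the PDN-GW holds for one UE (assumed layout)."""
    ue_id: str
    s6b_session_id: Optional[str] = None   # S6b session context, if any
    sa_spi: Optional[int] = None           # security context (SA with the UE), if any
    rat_type: Optional[str] = None         # from the MME session establishment request
    child_sas: List[int] = field(default_factory=list)  # SPIs of established Child SAs
    trusted_relationship: Optional[str] = None


@dataclass
class Outcome:
    """Record of what the PDN-GW did for one connection establishment request."""
    auth_requested: bool
    relationship: Optional[str]
    deleted_child_sas: List[int]


def already_authenticated(ue: UeContext) -> bool:
    """An existing S6b session or SA means the PDN-GW already applied for
    authentication of this UE, so it now asks the AAA server for the trusted
    relationship instead of silently keeping the old channel state."""
    return ue.s6b_session_id is not None or ue.sa_spi is not None


def resolve_relationship(aaa_value: str, ue: UeContext) -> str:
    """Use the AAA answer; on "UNKNOWN" fall back to the radio access type the
    MME carried in the session establishment request (FIG. 11)."""
    if aaa_value != UNKNOWN:
        return aaa_value
    if ue.rat_type in THREE_GPP_RAT_TYPES:
        return THREE_GPP
    return UNKNOWN


def on_connection_request(ue: UeContext, ask_aaa: Callable[[UeContext], str]) -> Outcome:
    """Handle a Binding Update (non-3GPP access) or an MME session establishment
    request (3GPP access) for a UE. ask_aaa stands in for the authentication
    request/response exchange with the authentication device."""
    if not already_authenticated(ue):
        return Outcome(False, None, [])
    ue.trusted_relationship = resolve_relationship(ask_aaa(ue), ue)
    deleted: List[int] = []
    if ue.trusted_relationship in (NON_TRUSTED, THREE_GPP):
        # Existing Child SAs are no longer appropriate: the PDN-GW initiates
        # their deletion, as the text describes for these two cases.
        deleted, ue.child_sas = ue.child_sas, []
    return Outcome(True, ue.trusted_relationship, deleted)


def on_child_sa_request(ue: UeContext, proposed_spi: int) -> Tuple[bool, Optional[str]]:
    """Accept a UE-initiated Child SA only for trusted non-3GPP access; otherwise
    answer with the refusing Notify cause. Assumption: an undetermined
    relationship is treated like non-trusted access."""
    if ue.trusted_relationship == TRUSTED:
        ue.child_sas.append(proposed_spi)
        return True, None
    return False, NO_ADDITIONAL_SAS


if __name__ == "__main__":
    # Constructed walk-through: an untrusted UE with a leftover Child SA.
    ue = UeContext("ue-b", sa_spi=0x2000, child_sas=[0x1002])
    print(on_connection_request(ue, lambda u: NON_TRUSTED))
    print(on_child_sa_request(ue, 0x1003))
```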
  • FIG. 12 is a block diagram of an authentication authentication device in accordance with one embodiment of the present invention.
  • A non-limiting example of the authentication device 120 of FIG. 12 is the home subscriber server / authentication, authorization and accounting server device shown in FIG. 3-5 and FIG. 7-9; it includes a receiving unit 1201, an authentication unit 1202 and a sending unit 1203.
  • The receiving unit 1201 is configured to receive an authentication request of the access side.
  • The authentication unit 1202 is configured to authenticate the received authentication request, determine the trusted relationship of the user equipment access, and notify the sending unit to send a message containing the trusted relationship indication information to the PDN-GW.
  • The sending unit 1203 is configured to send the message including the trusted relationship indication information to the PDN-GW.
  • In this embodiment of the present invention, when the authentication request of the access side is received, the trusted relationship of the user equipment access is confirmed, and if an S6b interface session of the UE already exists, a message containing the trusted relationship information of the user equipment access is sent to the PDN-GW, which enables the PDN-GW to correctly establish and update the S2c tunnel data security channel.
  • the receiving unit 1201 receives the authentication authentication request sent by the access side.
  • The receiving unit receives the authentication request of the access side, by which the access side applies for authentication of the current access.
  • When the UE accesses from a trusted non-3GPP access network, the access side here refers to the trusted non-3GPP access network; when the UE accesses from a non-trusted non-3GPP access network, the access side refers to the non-trusted non-3GPP access network or the ePDG.
  • The authentication unit 1202 determines whether the current user equipment access is trusted access or non-trusted access according to the parameters carried in the received authentication request, which include one or more of the following: the ANID, the Visited Network Identity (this identifier is only required in the roaming scenario), the access type, the security mechanism used in the access network, and so on.
  • The authentication unit determines whether the user equipment access is trusted access according to the configured policy; the policy includes the correspondence between the access network identifier (in the roaming scenario, the visited network identifier) and the trusted relationship.
  • The determination may be: according to the access network identifier in the authentication request message (in the roaming scenario, the visited network identifier), query the configured policy to determine the trusted relationship of the user equipment access. If the access network identifier is not included in the authentication request message, the access network identifier needs to be constructed according to the access type.
  • The access type is generally represented as an integer, such as 0 for WLAN and 2001 for HRPD. The authentication unit 1202 looks up in a table the access type description corresponding to the integer and uses that string as the prefix of the access network identifier, for example "WLAN" or "HRPD". The access network identifier may have no additional string other than the prefix, or the generation rule is determined by the authentication device itself.
  • The determination may then be implemented as follows: query the configured policy data table and find the trusted relationship corresponding to the access network identifier (in the roaming scenario, the visited network identifier); if the trusted relationship is trusted access, the current access is determined to be trusted access, and if the trusted relationship is untrusted access, the current access is determined to be untrusted access.
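The policy lookup described for the AAA server (FIG. 7, FIG. 9 and FIG. 11) and for the authentication unit 1202 above, as one added Python example; it is illustrative code, not the patent's or any vendor's implementation. The `AuthRequest` layout, the `UTRAN` type code, the rule that an ANID is its prefix optionally followed by `:` and a suffix, the policy key of (ANID prefix, visited network identifier) and the sample policy records are all assumptions.

```python
"""Trusted-relationship determination by the AAA server / authentication unit
(added example, not the patent's code). When no access network identifier
(ANID) is carried, build one from the integer access type as the text
describes, then query a configured policy table; return "UNKNOWN" when no
record matches. Type codes beyond those quoted in the text, the policy records
and the requests are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TRUSTED, NON_TRUSTED, THREE_GPP, UNKNOWN = "trusted", "non-trusted", "3GPP", "UNKNOWN"

# Non-3GPP access type codes quoted in the text (0 = WLAN, 2001 = HRPD).
ACCESS_TYPE_NAMES: Dict[int, str] = {0: "WLAN", 2001: "HRPD"}
# Radio access type codes quoted in the text (3 = WLAN, 6 = E-UTRAN); 1 = UTRAN is assumed.
RAT_TYPE_NAMES: Dict[int, str] = {3: "WLAN", 6: "E-UTRAN", 1: "UTRAN"}

# Policy table: (ANID prefix, visited network identifier or None) -> trusted relationship.
PolicyTable = Dict[Tuple[str, Optional[str]], str]


@dataclass
class AuthRequest:
    """Parameters the access side or PDN-GW carries in the authentication request."""
    ue_id: str
    access_network_id: Optional[str] = None   # ANID, may be absent
    access_type: Optional[int] = None         # non-3GPP access type (integer)
    rat_type: Optional[int] = None            # radio access type (integer)
    visited_network_id: Optional[str] = None  # only present in the roaming scenario


def anid_prefix(anid: str) -> str:
    """Assumed generation rule: the ANID is the prefix, optionally followed by
    ':' and an operator-defined suffix, e.g. 'HRPD' or 'HRPD:sector-12'."""
    return anid.split(":", 1)[0]


def construct_anid(req: AuthRequest) -> Optional[str]:
    """Return the ANID from the request, or build it from the (radio) access
    type as the text describes: integer -> description string used as prefix."""
    if req.access_network_id:
        return req.access_network_id
    if req.access_type is not None and req.access_type in ACCESS_TYPE_NAMES:
        return ACCESS_TYPE_NAMES[req.access_type]
    if req.rat_type is not None and req.rat_type in RAT_TYPE_NAMES:
        return RAT_TYPE_NAMES[req.rat_type]
    return None  # neither an ANID nor a recognised type code: cannot construct


def determine_trusted_relationship(req: AuthRequest, policy: PolicyTable) -> str:
    """Query the configured policy with the (constructed) ANID prefix and, when
    roaming, the visited network identifier. Returns one of the trusted
    relationship cell values, UNKNOWN when no matching record exists."""
    anid = construct_anid(req)
    if anid is None:
        return UNKNOWN
    key = (anid_prefix(anid), req.visited_network_id)
    return policy.get(key, UNKNOWN)


# Constructed sample policy: home WLAN and HRPD are trusted, WLAN reached via a
# particular visited network is not, E-UTRAN/UTRAN are 3GPP access.
SAMPLE_POLICY: PolicyTable = {
    ("WLAN", None): TRUSTED,
    ("HRPD", None): TRUSTED,
    ("WLAN", "visited.example.net"): NON_TRUSTED,
    ("E-UTRAN", None): THREE_GPP,
    ("UTRAN", None): THREE_GPP,
}

if __name__ == "__main__":
    for req in (AuthRequest("ue-1", access_type=0),
                AuthRequest("ue-2", access_type=0, visited_network_id="visited.example.net"),
                AuthRequest("ue-3", rat_type=6),
                AuthRequest("ue-4", access_network_id="HRPD:sector-12"),
                AuthRequest("ue-5", access_type=4242)):
        print(req.ue_id, "->", determine_trusted_relationship(req, SAMPLE_POLICY))
```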
  • The authentication unit determines whether the S6b session of the accessing UE already exists, that is, whether the session context of the S6b interface of the UE exists. The session context includes the Session ID and the user identifier. If the S6b interface session of the UE exists, the PDN-GW has already applied to the authentication device for authentication of the UE. In this case, the authentication unit notifies the sending unit to send a message to the PDN-GW that includes information indicating the trusted relationship of the user equipment access, that is, whether the user equipment access is trusted non-3GPP access or non-trusted non-3GPP access.
  • The sending unit 1203 sends a message to the PDN-GW including the trusted relationship cell, whose value is "trusted" or "non-trusted"; "trusted" represents trusted access and "non-trusted" represents non-trusted access.
  • The PDN-GW establishes or updates the S2c tunnel data security channel according to the received trusted relationship of the user equipment access.
  • In this way, the authentication unit determines the trusted relationship of the user equipment access, and the sending unit sends a message including the trusted relationship information of the user equipment access to the PDN-GW, so that the PDN-GW can distinguish the access scenario and complete the establishment or update of the data security channel.
  • FIG. 13 is a block diagram of a gateway device in accordance with another embodiment of the present invention.
  • A non-limiting example of the gateway device 130 of FIG. 13 is the packet data gateway shown in FIG. 3-5 and FIG. 7-11; it includes a receiving unit 1301, an acknowledgment unit 1302, a sending unit 1303 and an establishing unit 1304.
  • The receiving unit 1301 receives the packet data network connection establishment request of the user equipment and receives the authentication response message sent by the authentication device, where the authentication response message includes the trusted relationship information of the user equipment access; when the receiving unit receives the packet data network connection establishment request, the acknowledgment unit 1302 notifies the sending unit to send an authentication request message to the authentication device; the sending unit 1303 sends the authentication request message to the authentication device; and the establishing unit 1304 establishes or updates the S2c tunnel data security channel according to the trusted relationship information in the authentication response message.
  • In this way, when the gateway device receives the packet data network connection establishment request, it sends an authentication request message to the authentication device, and establishes or updates the S2c tunnel data security channel according to the trusted relationship of the user equipment access indicated in the authentication response message of the authentication device.
  • the receiving unit 1301 receives a packet data network connection establishment request of the user equipment.
  • When the UE accesses the EPC from a non-3GPP access network through the S2c interface, the received packet data network connection establishment request is a Binding Update message sent by the UE; when the UE accesses the EPC from a 3GPP access network through the S2c interface, the received packet data network connection establishment request is a session establishment message sent by the MME, which the mobility management network element sends after receiving the packet data network connection request of the user equipment.
  • The confirming unit 1302 confirms whether an S6b session of the UE currently exists, that is, whether the session context of the UE's S6b interface exists; the session context includes the session identifier (Session ID) and the user equipment identifier. Alternatively, the confirming unit confirms whether a security association (SA) has been established with the UE, that is, whether the UE has a security context; the security context includes a security parameter index (SPI) and the UE identifier. If an S6b interface session of the UE exists or an SA has been established with the UE, the gateway device has previously requested authentication and authorization for this UE from the authentication device. In that case the sending unit 1303 sends an authentication request to the authentication and authorization device.
  • The receiving unit 1301 receives the authentication response message returned by the authentication device. The message carries information indicating the current trusted relationship, that is, whether the current access is trusted non-3GPP access, untrusted non-3GPP access, or 3GPP access.
  • Specifically, the message carries a trusted relationship information element whose value is "trusted", "non-trusted", or "3GPP", indicating that the current access is trusted non-3GPP access, untrusted non-3GPP access, or 3GPP access, respectively.
  • The establishing unit 1304 establishes or updates the S2c tunnel data security channel according to the trusted relationship of the user equipment's access indicated in the received response message.
  • If the access is trusted non-3GPP access, the establishing unit may initiate a Child SA establishment procedure with the UE at any time; if a Child SA establishment request initiated by the UE is received, the request is accepted and the Child SA is established.
  • If the access is untrusted non-3GPP access or 3GPP access, the Child SA establishment procedure is not initiated, and a Child SA establishment request sent by the UE is rejected.
  • The rejection can be expressed as follows: the reason value in the Notify Payload of the response to the Child SA setup request is set to "NO_ADDITIONAL_SAS", "NO_CHILD_SAS", or another reason value, indicating that establishment of a further Child SA is not accepted. If a Child SA already exists between the gateway device and the UE, the establishing unit initiates a procedure to delete that Child SA.
  • In summary, when the gateway device of this embodiment receives the PDN connection establishment request and an S6b interface session of the UE exists or a security association has been established with the UE, the gateway device sends an authentication request to the authentication and authorization device and establishes or updates the S2c tunnel data security channel according to the trusted relationship of the user equipment's access indicated in the response message of the authentication device, so that the S2c tunnel data security channel is correctly established or updated when the UE accesses the EPS network through the S2c interface.
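As an added illustration that is not part of the patent text, the following Python (written for this edit, not the applicant's code) encodes the IKEv2 payloads a PDN GW would use for the two actions described above: a Notify payload carrying NO_ADDITIONAL_SAS in the CREATE_CHILD_SA response, and a Delete payload for an existing ESP Child SA. The field layout and the numeric constants come from RFC 7296; the SPI value and the parsed samples are constructed here. The "NO_CHILD_SAS" value mentioned in the text has no RFC-assigned number, so it is not modelled.

```python
import struct

# IKEv2 payload type identifiers (RFC 7296, section 3.2)
NO_NEXT_PAYLOAD = 0
PAYLOAD_NOTIFY = 41
PAYLOAD_DELETE = 42

# Protocol IDs carried in Notify and Delete payloads (RFC 7296, sections 3.10 and 3.11)
PROTO_NONE = 0    # Notify not tied to a particular SA: no SPI, Protocol ID sent as zero
PROTO_IKE = 1
PROTO_AH = 2
PROTO_ESP = 3

# Notify message types (RFC 7296, section 3.10.1); values below 16384 are errors
NO_ADDITIONAL_SAS = 35
INITIAL_CONTACT = 16384
ERROR_TYPE_LIMIT = 16384


def encode_notify(msg_type, next_payload=NO_NEXT_PAYLOAD, proto=PROTO_NONE, spi=b"", data=b""):
    """Build a Notify payload: generic header (Next Payload, C/RESERVED, Payload Length)
    followed by Protocol ID, SPI Size, Notify Message Type, SPI and notification data."""
    body = struct.pack("!BBH", proto, len(spi), msg_type) + spi + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def encode_delete(spis, proto=PROTO_ESP, next_payload=NO_NEXT_PAYLOAD):
    """Build a Delete payload listing the inbound SPIs of the Child SAs being removed.
    AH and ESP SPIs are 4 bytes; deleting the IKE SA itself carries no SPI at all."""
    spi_size = 4 if proto in (PROTO_AH, PROTO_ESP) else 0
    if any(len(s) != spi_size for s in spis):
        raise ValueError("every SPI must be spi_size bytes long")
    body = struct.pack("!BBH", proto, spi_size, len(spis)) + b"".join(spis)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_payloads(first_type, blob):
    """Walk a payload chain; first_type is the Next Payload value of the preceding header
    (the IKE header or the Encrypted payload). Returns a list of (type, body) tuples."""
    payloads, ptype, off = [], first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(blob):
            raise ValueError("truncated payload header")
        nxt, _flags, length = struct.unpack("!BBH", blob[off:off + 4])
        if length < 4 or off + length > len(blob):
            raise ValueError("payload length outside the message")
        payloads.append((ptype, blob[off + 4:off + length]))
        ptype, off = nxt, off + length
    if off != len(blob):
        raise ValueError("trailing bytes after the last payload")
    return payloads


def child_sa_rejection(first_type, blob):
    """Return the error Notify type if this CREATE_CHILD_SA response rejects the request,
    or None if it carries no error Notify (status notifies such as INITIAL_CONTACT do not count)."""
    for ptype, body in parse_payloads(first_type, blob):
        if ptype != PAYLOAD_NOTIFY:
            continue
        if len(body) < 4:
            raise ValueError("Notify payload too short")
        _proto, spi_size, msg_type = struct.unpack("!BBH", body[:4])
        if len(body) < 4 + spi_size:
            raise ValueError("Notify payload shorter than its SPI size")
        if msg_type < ERROR_TYPE_LIMIT:
            return msg_type
    return None


def deleted_spis(first_type, blob):
    """Collect the SPIs named by every Delete payload in the chain, i.e. the Child SAs the
    INFORMATIONAL exchange tears down."""
    spis = []
    for ptype, body in parse_payloads(first_type, blob):
        if ptype != PAYLOAD_DELETE:
            continue
        if len(body) < 4:
            raise ValueError("Delete payload too short")
        _proto, spi_size, count = struct.unpack("!BBH", body[:4])
        if len(body) != 4 + spi_size * count:
            raise ValueError("Delete payload size does not match its SPI count")
        spis.extend(body[4 + i * spi_size:4 + (i + 1) * spi_size] for i in range(count))
    return spis


def reject_child_sa_response():
    """Payload chain the gateway places inside the SK payload of a CREATE_CHILD_SA response
    when it will not create another Child SA (the rejection described in the text)."""
    return encode_notify(NO_ADDITIONAL_SAS)


def delete_child_sa_request(inbound_spi):
    """Payload chain for the INFORMATIONAL request that deletes the gateway's inbound ESP SA;
    the UE answers with a Delete naming the matching SA in the other direction."""
    return encode_delete([inbound_spi])
```

Both chains travel inside the Encrypted (SK) payload of the IKE SA that was bootstrapped between the UE and the PDN GW, so a peer or a packet capture only sees them after decryption; the parser takes the Next Payload value of the SK header as `first_type`.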
  • FIG. 14 is a block diagram of a gateway device in accordance with yet another embodiment of the present invention.
  • A non-limiting example of the gateway device 140 of FIG. 14 is the packet data gateway shown in FIGS. 10 and 11. It includes a receiving unit 1401, a confirming unit 1402, and an establishing unit 1403.
  • The receiving unit 1401 receives the PDN connection establishment request of the user equipment.
  • The confirming unit 1402 confirms whether an S6b session of the user equipment exists or a security association has been established with the user equipment; if so, it determines the trusted relationship of the user equipment's access from the access type information in the request.
  • The establishing unit 1403 establishes or updates the S2c tunnel data security channel according to the trusted relationship of the user equipment's access determined by the confirming unit.
  • The receiving unit 1401 receives the PDN connection establishment request of the user equipment. Here the PDN connection establishment request is a session establishment message sent by the serving gateway after the mobility management network element receives the PDN connection request from the user equipment.
  • The session establishment request includes information such as the UE identifier, the PDN type, and the radio access type (RAT type).
  • The radio access type at this point indicates 3GPP access, such as E-UTRAN or UTRAN.
  • The PDN type indicates the type of IP address assigned to the UE for this PDN connection, such as IPv4, IPv6, or IPv4v6. In a handover scenario, a handover indication is also included in the request message.
  • The confirming unit 1402 confirms whether an S6b session of the UE already exists, that is, whether the session context of the UE's S6b interface exists; the session context includes the session identifier (Session ID) and the user equipment identifier. Alternatively, the confirming unit 1402 confirms whether a security association has been established with the UE, that is, whether the UE has a security context; the security context includes a security parameter index (SPI) and the UE identifier. If an S6b interface session of the UE exists or an SA has been established with the UE, the gateway device has previously requested authentication and authorization for this UE from the authentication device. In that case the confirming unit determines the trusted relationship of the current user equipment access from the radio access type information in the PDN connection establishment request received by the receiving unit, and determines that the current access is 3GPP access.
  • The establishing unit 1403 establishes or updates the S2c tunnel data security channel according to the trusted relationship of the user equipment's access determined by the confirming unit. If the user equipment's access is 3GPP access, the establishing unit does not initiate the Child SA establishment procedure, and rejects any Child SA establishment request sent by the UE.
  • The rejection can be expressed as follows: the reason value in the Notify Payload of the response to the Child SA setup request is set to "NO_ADDITIONAL_SAS", "NO_CHILD_SAS", or another reason value, indicating that establishment of a further Child SA is not accepted. If a Child SA already exists between the gateway device and the UE, the establishing unit initiates a procedure to delete that Child SA.
  • When the UE accesses the EPC network from a 3GPP access network through the S2c interface, the serving gateway sends a session establishment request message to the gateway device according to the PDN connection request of the UE. The gateway device confirms whether an S6b interface session of the UE already exists or a security association has been established with the UE. If so, the trusted relationship of the user equipment's access is determined from the information in the session establishment request message, the access is identified as 3GPP access, and the S2c tunnel data security channel is established or updated accordingly. The PDN GW can therefore distinguish the access scenario and complete the establishment or update of the data security channel.
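The following Python is an added example, not code from the patent, modelling the decision both gateway devices make once a PDN connection request arrives: the FIG. 13 device re-queries the authentication device and acts on the returned trusted-relationship value, while the FIG. 14 device infers 3GPP access from the RAT type of a session establishment request for a UE it already knows, without a further S6b round trip. The class and message names (PdnGw, BindingUpdate, CreateSession), the `aaa` callback standing in for the S6b exchange, the first-attach handling, and the inclusion of GERAN among 3GPP RAT types are assumptions of this example; the three trust values are the ones the text gives.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Union

# Values of the trusted-relationship information element named in the text.
TRUSTED, UNTRUSTED, THREEGPP = "trusted", "non-trusted", "3GPP"
VALID_TRUST = {TRUSTED, UNTRUSTED, THREEGPP}
# RAT types treated as 3GPP access (E-UTRAN and UTRAN are named in the text; GERAN is assumed here).
RAT_3GPP = {"E-UTRAN", "UTRAN", "GERAN"}
NO_ADDITIONAL_SAS = 35          # IKEv2 Notify error type (RFC 7296)


@dataclass
class BindingUpdate:
    """DSMIPv6 Binding Update: the PDN connection request a UE sends over non-3GPP access."""
    ue_id: str


@dataclass
class CreateSession:
    """Session establishment request the serving gateway sends for 3GPP access (assumed shape)."""
    ue_id: str
    pdn_type: str          # IPv4 | IPv6 | IPv4v6
    rat_type: str
    handover: bool = False


@dataclass
class Decision:
    trust: str
    child_sa_allowed: bool
    deleted_child_sa: bool
    queried_aaa: bool


@dataclass
class PdnGw:
    """Model of the gateway device. mode="aaa" re-queries the authentication device for a
    known UE (FIG. 13); mode="rat" derives the trust relationship from the RAT type of a
    session establishment request for a known UE (FIG. 14)."""
    aaa: Callable[[str], str]                                    # authentication device: ue_id -> trust IE
    mode: str = "aaa"
    s6b_sessions: Dict[str, str] = field(default_factory=dict)   # ue_id -> S6b Session-Id
    ike_spis: Dict[str, int] = field(default_factory=dict)       # ue_id -> SPI of the UE's IKE SA
    child_sas: Set[str] = field(default_factory=set)             # UEs holding an ESP Child SA
    trust: Dict[str, str] = field(default_factory=dict)          # last trust decision per UE

    def known(self, ue_id: str) -> bool:
        """The confirming unit's check: an S6b session context or a security context exists."""
        return ue_id in self.s6b_sessions or ue_id in self.ike_spis

    def _query_aaa(self, ue_id: str) -> str:
        value = self.aaa(ue_id)
        if value not in VALID_TRUST:
            raise ValueError(f"unexpected trusted-relationship value {value!r}")
        return value

    def on_pdn_request(self, req: Union[BindingUpdate, CreateSession]) -> Decision:
        ue = req.ue_id
        if isinstance(req, CreateSession) and req.rat_type not in RAT_3GPP:
            raise ValueError("a session establishment request over S2c implies a 3GPP RAT type")
        if self.mode == "rat" and isinstance(req, CreateSession) and self.known(ue):
            trust, queried = THREEGPP, False          # FIG. 14: trust taken from the RAT type
        else:
            # First attach (assumed here to run the usual S6b authorization) or FIG. 13
            # behaviour for a known UE: the AAA answer carries the current trusted relationship.
            trust, queried = self._query_aaa(ue), True
            self.s6b_sessions.setdefault(ue, f"s6b-{ue}")
        self.trust[ue] = trust
        allowed = trust == TRUSTED
        deleted = False
        if not allowed and ue in self.child_sas:
            self.child_sas.discard(ue)                 # gateway initiates Child SA deletion
            deleted = True
        return Decision(trust, allowed, deleted, queried)

    def on_child_sa_request(self, ue_id: str) -> Optional[int]:
        """CREATE_CHILD_SA from the UE: None means accept, otherwise the Notify error to return."""
        if self.trust.get(ue_id) == TRUSTED:
            self.child_sas.add(ue_id)
            return None
        return NO_ADDITIONAL_SAS
```

The check worth noticing is the one on `known()`: only a UE that already has an S6b session or an IKE security context at this gateway can be in the handover situation the text addresses, and it is exactly that UE whose previously negotiated Child SA must be torn down when the new access turns out to be untrusted non-3GPP or 3GPP.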
  • A communication system in accordance with an embodiment of the present invention may include the authentication and authorization device 120 and/or the gateway device 130 described above.
  • The communication system may also include the authentication and authorization device 120 and/or the gateway device 140 described above.
  • Those skilled in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To illustrate the interchangeability of hardware and software clearly, the composition and steps of the examples have been described above generally in terms of their functions. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of the present invention.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • The division into units is only a division by logical function; other divisions may be used in actual implementation.
  • Multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented.
  • The mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device, or unit, and may be electrical, mechanical, or of another form.
  • The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • Each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • The integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • If the integrated unit is implemented in the form of a software functional unit and sold or used as a standalone product, it may be stored in a computer-readable storage medium.
  • On this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • The software product includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • The foregoing storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

Abstract

The present invention relates to a method and device for processing a tunnel data security channel. The method comprises: receiving an authentication and authorization request from the access side and determining the trusted relationship of the access of a user equipment; when an S6b interface session of the user equipment exists, sending to a packet data gateway a message carrying information on the trusted relationship of the user equipment's access, so that the packet data gateway establishes or updates an S2c tunnel data security channel according to the trusted relationship information. In the embodiments of the present invention, when a user equipment accesses an EPS network through an S2c interface and an authentication and authorization request is received from the access side, if an S6b interface session of the accessing user equipment exists, a message carrying information on the trusted relationship of the user equipment's access is sent to the packet data gateway, so that the packet data gateway can obtain the trusted relationship under which the user equipment accesses the EPS network through the S2c interface, which ensures that the S2c tunnel data security channel is correctly established or updated.
PCT/CN2011/081738 2011-11-03 2011-11-03 Procédé et dispositif de gestion de canal de sécurité de données WO2013063783A1 (fr)

Priority Applications (5)

Application Number Priority Date Filing Date Title
JP2014539203A JP5922785B2 (ja) 2011-11-03 2011-11-03 データセキュリティチャネル処理方法およびデバイス
EP11874986.0A EP2763357B1 (fr) 2011-11-03 2011-11-03 Procédé et dispositif de gestion de canal de sécurité de données
CN201180002592.5A CN103201986B (zh) 2011-11-03 2011-11-03 一种数据安全通道的处理方法及设备
PCT/CN2011/081738 WO2013063783A1 (fr) 2011-11-03 2011-11-03 Procédé et dispositif de gestion de canal de sécurité de données
US14/269,965 US9800563B2 (en) 2011-11-03 2014-05-05 Method and device for processing data security channel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/081738 WO2013063783A1 (fr) 2011-11-03 2011-11-03 Procédé et dispositif de gestion de canal de sécurité de données

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/269,965 Continuation US9800563B2 (en) 2011-11-03 2014-05-05 Method and device for processing data security channel

Publications (1)

Publication Number Publication Date
WO2013063783A1 true WO2013063783A1 (fr) 2013-05-10

Family

ID=48191214

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/081738 WO2013063783A1 (fr) 2011-11-03 2011-11-03 Procédé et dispositif de gestion de canal de sécurité de données

Country Status (5)

Country Link
US (1) US9800563B2 (fr)
EP (1) EP2763357B1 (fr)
JP (1) JP5922785B2 (fr)
CN (1) CN103201986B (fr)
WO (1) WO2013063783A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016101267A1 (fr) * 2014-12-26 2016-06-30 华为技术有限公司 Procédé, dispositif et système de commande pour accéder à des réseaux locaux sans fil non sécurisés d'un équipement d'utilisateur

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103024737B (zh) * 2011-09-23 2017-08-11 中兴通讯股份有限公司 可信任非3gpp接入网元、接入移动网络及去附着方法
EP2763357B1 (fr) 2011-11-03 2019-03-13 Huawei Technologies Co., Ltd. Procédé et dispositif de gestion de canal de sécurité de données
CN104506406B (zh) * 2011-11-03 2018-10-30 华为技术有限公司 一种鉴权认证设备
MX2015008696A (es) * 2013-01-04 2016-02-25 Huawei Tech Co Ltd Metodo, aparato y sistema para seleccionar compuerta pdn.
KR102279486B1 (ko) * 2014-03-13 2021-07-20 삼성전자 주식회사 무선 통신 시스템에서 연결을 생성하는 방법 및 장치
WO2015184418A1 (fr) * 2014-05-29 2015-12-03 T-Mobile Usa, Inc. Appel wi-fi à l'aide d'un combiné sip-ims et passerelle évoluée de données par paquets
CN104184821B (zh) * 2014-08-29 2017-11-28 北京奇虎科技有限公司 基于推送通知的会话及终端应答反馈的方法和装置
US9420463B2 (en) * 2014-09-30 2016-08-16 Sap Se Authorization based on access token
US9807669B1 (en) * 2014-10-24 2017-10-31 Sprint Communications Company L.P. Identifying communication paths based on packet data network gateway status reports
JP6463838B2 (ja) 2014-11-14 2019-02-06 ノキア ソリューションズ アンド ネットワークス オサケユキチュア 信頼できないアクセスのための位置情報
FR3039954A1 (fr) * 2015-08-05 2017-02-10 Orange Procede et dispositif d'identification de serveurs d'authentification visite et de domicile
FR3039953A1 (fr) * 2015-08-05 2017-02-10 Orange Procedes et dispositifs d'identification d'un serveur d'authentification
WO2017159970A1 (fr) * 2016-03-17 2017-09-21 엘지전자(주) Procédé servant à effectuer le réglage de sécurité d'un terminal dans un système de communication sans fil et appareil associé
JP6151819B2 (ja) * 2016-04-14 2017-06-21 ▲ホア▼▲ウェイ▼技術有限公司Huawei Technologies Co.,Ltd. データセキュリティチャネル処理方法およびデバイス
US11096053B2 (en) 2016-11-07 2021-08-17 Lg Electronics Inc. Method for managing session
US20180212916A1 (en) * 2017-01-23 2018-07-26 Marshall Schaffer Systems and methods for verification and mapping of social connections
RU2745719C2 (ru) * 2017-02-07 2021-03-31 АйПиКОМ ГМБХ УНД КО. КГ Реализация функции межсетевого взаимодействия с использованием недоверенной сети
CN110099382B (zh) * 2018-01-30 2020-12-18 华为技术有限公司 一种消息保护方法及装置
US10924480B2 (en) 2018-02-28 2021-02-16 Cisco Technology, Inc. Extended trust for onboarding
CN112217769B (zh) * 2019-07-11 2023-01-24 奇安信科技集团股份有限公司 基于隧道的数据解密方法、加密方法、装置、设备和介质
GB2586223A (en) * 2019-08-05 2021-02-17 British Telecomm Conditional message routing in a telecommunications network
CN114584341B (zh) * 2022-01-14 2023-06-16 苏州浪潮智能科技有限公司 一种零边界可信任网络架构系统、数据处理方法、装置

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101106812A (zh) * 2006-07-11 2008-01-16 华为技术有限公司 通信网络及用户设备接入方法
CN101316205A (zh) * 2007-05-28 2008-12-03 华为技术有限公司 触发安全隧道建立方法及其装置
WO2011104149A1 (fr) * 2010-02-23 2011-09-01 Alcatel Lucent Transport d'informations relatives à un service ip multi-opérateurs entre équipement utilisateur et cœur de paquets évolué 3gpp

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431797B (zh) * 2007-05-11 2012-02-01 华为技术有限公司 一种注册处理方法、系统及装置
EP2037652A3 (fr) * 2007-06-19 2009-05-27 Panasonic Corporation Méthodes et appareils pour detecter si un équipement utilisateur se trouve dans un réseau d'accès fiable ou un réseau d'accès non fiable
EP2091204A1 (fr) * 2008-02-18 2009-08-19 Panasonic Corporation Découverte d'agent domestique selon le changement de schéma de gestion de mobilité
US8607309B2 (en) * 2009-01-05 2013-12-10 Nokia Siemens Networks Oy Trustworthiness decision making for access authentication
US9888613B2 (en) 2010-11-02 2018-02-06 Mitsubishi Electric Corporation Power module for electric power steering and electric power steering drive control apparatus using the same
EP2763357B1 (fr) 2011-11-03 2019-03-13 Huawei Technologies Co., Ltd. Procédé et dispositif de gestion de canal de sécurité de données

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Technical Specification Group Core Network and Terminals; Evolved Packet System (EPS); 3GPP EPS AAA interfaces (Release 9)", 3GPP TS 29.273 V9.2.0, 31 March 2010 (2010-03-31), XP050402267 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016101267A1 (fr) * 2014-12-26 2016-06-30 华为技术有限公司 Procédé, dispositif et système de commande pour accéder à des réseaux locaux sans fil non sécurisés d'un équipement d'utilisateur
CN105934918A (zh) * 2014-12-26 2016-09-07 华为技术有限公司 用户设备的非可信无线局域网接入控制方法、设备和系统

Also Published As

Publication number Publication date
CN103201986B (zh) 2014-12-10
JP2015501605A (ja) 2015-01-15
EP2763357B1 (fr) 2019-03-13
EP2763357A1 (fr) 2014-08-06
US20140245403A1 (en) 2014-08-28
US9800563B2 (en) 2017-10-24
JP5922785B2 (ja) 2016-05-24
CN103201986A (zh) 2013-07-10
EP2763357A4 (fr) 2014-10-29

Similar Documents

Publication Publication Date Title
WO2013063783A1 (fr) Procédé et dispositif de gestion de canal de sécurité de données
US20220225263A1 (en) Interworking function using untrusted network
KR101814969B1 (ko) 네트워크에 액세스하는 시스템 및 방법
US8621570B2 (en) Access through non-3GPP access networks
US11503469B2 (en) User authentication method and apparatus
US9503881B2 (en) Method, device, and system for user equipment to access evolved packet core network
WO2019017837A1 (fr) Procédé de gestion de sécurité de réseau et appareil
WO2008131689A1 (fr) Procédé et système de fourniture d'un service de communication d'urgence et dispositifs correspondants
WO2012167500A1 (fr) Procédé d'établissement d'un canal de données de sécurité destiné à un tunnel
WO2018170617A1 (fr) Procédé d'authentification d'accès au réseau basé sur un réseau non 3gpp, et dispositif et système associés
WO2013016968A1 (fr) Procédé et système d'accès, et point d'accès intelligent mobile
WO2013189217A1 (fr) Procédé pour mettre à jour des informations d'identité au sujet d'une passerelle de paquets, serveur aaa et passerelle de paquets
CN111726228B (zh) 使用互联网密钥交换消息来配置活动性检查
WO2016155012A1 (fr) Procédé d'accès dans un réseau de communication sans fil, dispositif et système associés
WO2010094244A1 (fr) Procédé, dispositif et système pour réaliser une authentification d'accès
WO2012003760A1 (fr) Procédé et système de transmission d'informations
WO2009152676A1 (fr) Serveur aaa, p-gw, pcrf, procédé et système d'obtention de l'identifiant d'un équipement utilisateur
WO2009012675A1 (fr) Passerelle de réseau d'accès, terminal, procédé et système pour établir une connexion de données
WO2011116713A2 (fr) Procédé, dispositif et système pour terminal de communication de type machine (mtc) communiquant avec un réseau via une passerelle
EP2317694A1 (fr) Procédé de transmission d'options de configuration du protocole, système et équipement utilisateur s'y rapportant
WO2010069202A1 (fr) Procédé de négociation d'authentification et système associé, passerelle de sécurité, noeud local b
WO2011035667A1 (fr) Procédés et systèmes pour réaliser une itinérance interréseau, interroger et rattacher un réseau
WO2018058365A1 (fr) Procédé d'autorisation d'accès au réseau, et dispositif et système associés
WO2013174190A1 (fr) Procédé de sélection de routage et élément de réseau fonctionnel
WO2010139285A1 (fr) Procédé de synchronisation d'informations, système de communication et dispositifs associés

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11874986

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2011874986

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2014539203

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE